Overview
SignPath helps you control access to your code signing certificates. You have to decide how many code signing certificates you need in your organization. Depending on your business model, you might want to use one certificate across your entire organization or have separate certificates for each project or customer.
Test and Release certificates
- Use test certificates during the development process. You can test your release process and sign every build. Test certificates are not created by a commercial CA and are therefore not trusted by operating systems or browsers. Artifacts that were mistakenly or even maliciously signed by a test certificate cannot affect your users and customers. You can read more about how to roll out and manage test certificates in your infrastructure in the knowledge base.
- Use dedicated release certificates for each published version of your software. SignPath allows you to enforce stricter policies for release certificates.
Certificate types
With SignPath, you have the following options for creating or importing a certificate:
- Self-signed X.509 certificates are not signed by any certificate authority and therefore not trusted. You can use them for testing your release process.
- X.509 certificate signing requests (CSRs) can be created using SignPath. You can use the CSR to purchase a certificate from a trusted certificate authority (CA). By creating a CSR, you ensure that the private key is created directly on our hardware security module (HSM) and cannot be compromised. This is the recommended way for securing your code signing process.
- PFX-imported X.509 certificates: If you already own a certificate, you can simply upload it. However, as your private key may have already been exposed, we recommend using PFX imports only as a temporary solution. (Only available for RSA keys.)
- GPG keys are certificates based on the OpenPGP standard, also known as GPG or GnuPG. They can be used to sign arbitrary files using GPG detached signature files. OpenPGP is also the foundation of many Linux and Open Source signing formats, including RPM and Debian package signing.
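The test/release split above and the point that a self-signed certificate is not trusted can be reproduced locally with OpenSSL. The following script is an added example and not SignPath's own tooling: "Example Release CA" stands in for the commercial CA, "Example Test Cert" is a self-signed test certificate, "Example Publisher" is the CA-issued release certificate, and artifact.bin is a constructed sample build output. It signs the same artifact once with each certificate (CMS detached signatures) and then verifies against two trust stores: a customer who trusts only the release CA, and a developer machine where the test certificate itself was rolled out. It also shows that a tampered artifact fails verification against the release signature.

```shell
#!/bin/sh
# Added example (not SignPath's code): models test vs. release certificates
# with local OpenSSL keys. All names, subjects and files are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Two trust worlds: a release chain (CA -> publisher certificate) and a
# stand-alone self-signed test certificate that no CA ever vouched for.
setup_pki() {
  cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Example Release CA
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
  cat > "$WORK/leaf.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
EOF
  # Release CA: plays the role of the trusted commercial CA
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$WORK/ca.cnf" \
    -keyout "$WORK/release-ca.key" -out "$WORK/release-ca.pem" >/dev/null 2>&1
  # Publisher's release certificate: CSR first, then the CA issues it
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/leaf.cnf" \
    -subj "/CN=Example Publisher" -keyout "$WORK/release.key" \
    -out "$WORK/release.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/release.csr" -CA "$WORK/release-ca.pem" \
    -CAkey "$WORK/release-ca.key" -CAcreateserial -days 30 \
    -out "$WORK/release.pem" >/dev/null 2>&1
  # Self-signed test certificate: nobody trusts it unless it is rolled out
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$WORK/leaf.cnf" \
    -subj "/CN=Example Test Cert" -keyout "$WORK/test.key" \
    -out "$WORK/test.pem" >/dev/null 2>&1
}

# sign_artifact CERT KEY INPUT OUTPUT: CMS detached signature in DER form
sign_artifact() {
  openssl cms -sign -binary -in "$3" -signer "$1" -inkey "$2" \
    -outform DER -out "$4" 2>/dev/null
}

# verify_artifact TRUSTSTORE SIGNATURE CONTENT: exit 0 only if the signature
# matches CONTENT and the signer chains to a certificate in TRUSTSTORE
verify_artifact() {
  openssl cms -verify -binary -inform DER -in "$2" -content "$3" \
    -CAfile "$1" -out /dev/null >/dev/null 2>&1
}

# check LABEL TRUSTSTORE SIGNATURE CONTENT: print the outcome of one scenario
check() {
  if verify_artifact "$2" "$3" "$4"; then echo "$1: trusted"; else echo "$1: rejected"; fi
}

setup_pki
printf 'constructed sample build output\n' > "$WORK/artifact.bin"
sign_artifact "$WORK/release.pem" "$WORK/release.key" "$WORK/artifact.bin" "$WORK/release.p7s"
sign_artifact "$WORK/test.pem"    "$WORK/test.key"    "$WORK/artifact.bin" "$WORK/test.p7s"
# A modified copy of the artifact, to show that a valid release signature
# does not carry over to changed content
cp "$WORK/artifact.bin" "$WORK/tampered.bin"
printf 'injected change\n' >> "$WORK/tampered.bin"

check "release-signed, customer trusts release CA" "$WORK/release-ca.pem" "$WORK/release.p7s" "$WORK/artifact.bin"
check "test-signed, customer trusts release CA"    "$WORK/release-ca.pem" "$WORK/test.p7s"    "$WORK/artifact.bin"
check "test-signed, dev machine trusts test cert"  "$WORK/test.pem"       "$WORK/test.p7s"    "$WORK/artifact.bin"
check "release-signed, artifact modified"          "$WORK/release-ca.pem" "$WORK/release.p7s" "$WORK/tampered.bin"
```

Run it as-is; it needs only the openssl command line tool. The second scenario is the one the test/release split relies on: a build that was mistakenly or maliciously signed with the test certificate is rejected wherever only the release CA is trusted, and it is accepted only on machines where the test certificate was deliberately installed, which is what rolling out test certificates in your own infrastructure means in practice.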
GPG keys and certificates
Available for Advanced Code Signing, Code Signing Gateway.
In the world of GPG, certificates are known under various names:
- Certificate or Transferable Public Keys according to OpenPGP
- GPG keys or GPG public keys in everyday usage (which can be confusing, as public key usually means the public part of an asymmetric cryptographic key pair)
SignPath uses the term GPG key to denote this type of Certificate.
These terms all refer to a specific file format that includes the actual public key, the key holder’s identity (name and email address), expiration, and other data.
Unlike X.509, GPG does not define a Public Key Infrastructure (PKI) based on Certificate Authorities (CAs). Instead, GPG certificates are usually provided as downloads on a separate channel and/or published on an OpenPGP key server.
Restrictions
SignPath allows you to configure restrictions for certificates. You can, for instance, specify that all signing requests that are using the certificate must be manually approved.